[英]How can I extract the salt out of bcrypt hash passwords in php?
My database stores the bcrypt passwords which means that the salt should be stored with in the password field. 我的数据库存储了bcrypt密码,这意味着salt应该存储在密码字段中。 I don't want to make a separate field to store the salt by itself when it is not necessary.
我不想在没有必要时单独存储盐来存储盐。 However when I want to compare passwords that the user sends to me to the passwords stored in the database, I need to hash the incoming password with the same salt.
但是,当我想将用户发送给我的密码与存储在数据库中的密码进行比较时,我需要使用相同的盐来哈希传入的密码。 Question: what part of the stored hash is the salt?
问题:存储哈希的哪一部分是盐? I think I could just return the salt using simple substr().
我想我可以使用简单的substr()返回salt。
// password stored in database.
$user->password_hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 13));
// password from form being compared to form password
$form_password_hash = password_hash($data['form-password'], PASSWORD_BCRYPT, array('cost' => 13));
if($user->getPasswordHash() == $form_password_hash)
{
$user->setPassword($data['new-password']);
return new Response("Your password has been changed");
}
You need to use the password_verify
function. 您需要使用
password_verify
函数。 This function will parse the hashed password string to find the salt and perform the calculation. 此函数将解析散列密码字符串以查找salt并执行计算。
if (password_verify($data['form-password'], $user->getPasswordHash())) {
echo 'Password is correct';
}
Salt is the first 22 characters after the third $
in the hash: Salt是散列中第三个
$
之后的前22个字符:
$2y$13$<this is the salt, 22 chars><this is the password hash>
But you should not manually extract the salt to verify the password - use the password_verify function . 但是你不应该手动提取盐来验证密码 - 使用password_verify函数 。 It takes the password the user entered as the first argument, and the complete hash as the second argument, and handles the salt correctly.
它将用户输入的密码作为第一个参数,将完整的哈希作为第二个参数,并正确处理盐。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.